Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVEs (5,964)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-23692 1Dell 1Emc Data Domain Os Jun 17, 2026 Feb 1, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability. An authenticated non admin attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on...Show more Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability. An authenticated non admin attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Show less
CVE-2022-25916 1Mt7688 Wiscan Project 1Mt7688 Wiscan Jun 17, 2026 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Versions of the package mt7688-wiscan before 0.8.3 are vulnerable to Command Injection due to improper input sanitization in the 'wiscan.scan' function.
CVE-2022-25906 1Is Http2 Project 1Is Http2 Jun 17, 2026 Feb 1, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.
CVE-2022-21129 1Paypal 1Nemo Appium Jun 17, 2026 Jan 31, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. Note: In order to exploit this vulnerability appium-ru...Show more Versions of the package nemo-appium before 0.0.9 are vulnerable to Command Injection due to improper input sanitization in the 'module.exports.setup' function. Note: In order to exploit this vulnerability appium-running 0.1.3 has to be installed as one of nemo-appium dependencies. Show less
CVE-2022-42484 2Freshtomato Siretta 2Freshtomato Quartz Gold Firmware Jun 17, 2026 Jan 30, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request...Show more An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2022-48108 1Dlink 1Dir 878 Firmware Jun 17, 2026 Jan 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /SetNetworkSettings/SubnetMask. This vulnerability allows attackers to escalate privileges to root via a crafted payl...Show more D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /SetNetworkSettings/SubnetMask. This vulnerability allows attackers to escalate privileges to root via a crafted payload.Show less
CVE-2022-48107 1Dlink 1Dir 878 Firmware Jun 17, 2026 Jan 27, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted paylo...Show more D-Link DIR_878_FW1.30B08 was discovered to contain a command injection vulnerability via the component /setnetworksettings/IPAddress. This vulnerability allows attackers to escalate privileges to root via a crafted payload.Show less
CVE-2022-48072 1Phicomm 1K2 Firmware Jun 17, 2026 Jan 27, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Phicomm K2G v22.6.3.20 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
CVE-2022-48070 1Phicomm 1K2 Firmware Jun 17, 2026 Jan 27, 2023 N/A· v4 7.8 HIGH· v3 N/A· v2 Phicomm K2 v22.6.534.263 was discovered to contain a command injection vulnerability via the autoUpTime parameter in the automatic upgrade function.
CVE-2022-48069 1Totolink 1A830r Firmware Jun 17, 2026 Jan 27, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 Totolink A830R V4.1.2cu.5182 was discovered to contain a command injection vulnerability via the QUERY_STRING parameter.
CVE-2022-42493 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a netw...Show more Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command.Show less
CVE-2022-42492 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a netw...Show more Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_AD command.Show less
CVE-2022-42491 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a netw...Show more Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's M2M_CONFIG_SET commandShow less
CVE-2022-42490 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a netw...Show more Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_CFG_FILE commandShow less
CVE-2022-40969 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can...Show more An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2022-40222 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacke...Show more An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.Show less
CVE-2022-40220 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attac...Show more An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.Show less
CVE-2022-38066 1Siretta 1Quartz Gold Firmware Jun 17, 2026 Jan 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send...Show more An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.Show less
CVE-2023-24422 1Jenkins 1Script Security Jun 17, 2026 Jan 26, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to b...Show more A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.Show less
CVE-2022-29843 1Westerndigital 8My Cloud Dl2100 Firmware My Cloud Dl4100 FirmwareMy Cloud Ex2100 Firmware+5 more Jun 17, 2026 Jan 26, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user.

Previous 1...158159160...299 Next